Logstash multiline source validation

mkalinowski · November 18, 2019, 3:42pm

Hello,

I am in the process of building ELK infrastructure for my systems.
I have several filebeats and so far one logstash.
I have several Java servers and apache servers.

As we all know, we have something like stacktrace on Java servers

Ultimately, my colleague wants to assemble resources and make one filebeat.

And now my dilemma

Is there a possibility that if some stackctace is sent, then some other log may interrupt multitiline.

E.g. Stacktrace goes and has 100 lines. In the meantime, apache or another Java server sends a different log. Is this a problem that multiline may have a problem with?

Does the multiline module verify the source?

If there is a problem here, is there a solution?

It would be best if the whole solution was based on the logstash itself.

THX,
Maciej

Badger · November 18, 2019, 4:08pm

Yes, this is exactly why the documentation says to do multiline processing in filebeat, and not in a multiline codec on a beats input.

mkalinowski · November 18, 2019, 4:44pm

Ok. It makes sense

In that case we are moving multiline to filebeat.

Let's assume that this filebeat will have eg 5 Java servers connected. Will filebeat know what to assign? Do I parse files "separately"? Will I have to install filebeat per Java server?

THX,
Maciej

system · December 16, 2019, 4:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat with multiline vs. multiline logstash codec Beats filebeat	8	4512	July 5, 2017
Filebeat vs logstash for handling multiline Logstash	7	1428	May 7, 2017
Filebeat Multiline log lines are not matching with logstash and kibana Beats filebeat	3	628	November 25, 2016
Strange behavior with ELK setup Logstash	9	603	August 9, 2017
Is Logstash beats input with multiline codec allowed or not? Logstash	3	1048	November 18, 2021

Logstash multiline source validation

Related topics